1
votes

I have written an asmx web service in Visual Studio 2013. The WS is connecting to a provider using HTTPS and X.509 for authentication.

I have tried connecting using "basicHttpBinding" and "basicHttpsBinding" (Web.config) but always get the error below.

Error: System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'www.providers-site.se'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel. at System.Net.HttpWebRequest.GetResponse() at ....

I have created a behaviour for the X.509 and a binding for the endpoint, see below. What am I doing wrong? Would I benefit from using the wsHttpBinding instead?

<behaviors>
  <endpointBehaviors>
    <behavior name="CertBehaviour">
      <clientCredentials>
        <clientCertificate findValue="MyCertCN" storeLocation="LocalMachine"
                           storeName="My" x509FindType="FindBySubjectName" />
        <serviceCertificate>
          <authentication certificateValidationMode="PeerTrust" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

...

<basicHttpsBinding>
  <binding name="mySoapBinding">
    <security mode="Transport">
      <transport clientCredentialType="Certificate" />
      <message clientCredentialType="Certificate" />
    </security>
  </binding>
</basicHttpsBinding>

...

<client>
  <endpoint address="https://www.providers-site.se/na/na_epersondata/services/personpostXML"
            behaviorConfiguration="CertBehaviour" binding="basicHttpsBinding"
            bindingConfiguration="mySoapBinding" contract="webservice.NaPersonPostXMLWS"
            name="personpostXML" />
</client>

I did run a trace. Thanks to Mike Cheel! See trace here.

Does this trace mean the certificate is not accepted by the remote host (provider)? (rows 67-71) (Since "AUTHENTICATE_REQUEST NOTIFICATION_CONTINUE" and "AnonymousAuthenticationModule" start after certificate authentication.)

CertificateMappingAuthenticationModule NOTIFY_MODULE_START RequestNotifications AUTHENTICATE_REQUEST
AUTH_START Authentication MapCliCert
AUTH_END Authentication
CertificateMappingAuthenticationModule NOTIFY_MODULE_END RequestNotifications AUTHENTICATE_REQUEST NOTIFICATION_CONTINUE  
AnonymousAuthenticationModule NOTIFY_MODULE_START RequestNotifications  AUTHENTICATE_REQUEST
1
Hi Mike! Sorry, I am not very comfortable with IIS7. How do I perform a trace? I looked at the link below, but my screen looks nothing like the screen shot in section "To disable ASP:". iis.net/learn/troubleshoot/using-failed-request-tracing/… - Kermit
I did run a trace, but cannot see where it goes wrong. What should I look for? - Kermit

1 Answer

1
votes

Ensure you have the certificate chain of the providers-site service in your asmx machine's trusted root store. You can find out by typing the URL in the browser:

https://www.providers-site.se/na/na_epersondata/services/personpostXML

and see its certificate chain. Browsers also display warnings.

Another option to solve certificate errors temporarily is to try this:

// Diagnostic only: returning true accepts every server certificate.
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
{
    // put a breakpoint here and inspect sslPolicyErrors
    var tempSslErrors = sslPolicyErrors;
    return true;
};

If you look at the sslPolicyErrors it might give some indication.
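
A variant of the callback above that records why validation failed while still rejecting the certificate, as an added example that is not part of the original answer. The names TlsDiagnostics, Describe and Install are hypothetical, and writing to System.Diagnostics.Trace is an assumption about where the service logs.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class TlsDiagnostics // hypothetical helper, not from the original page
{
    // Builds a readable report of the validation result; makes no trust decision.
    public static string Describe(X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        var sb = new StringBuilder();
        sb.AppendLine("SslPolicyErrors: " + errors);
        if (cert != null)
            sb.AppendLine("Subject: " + cert.Subject + " | Issuer: " + cert.Issuer);
        if (chain != null)
        {
            // One element per certificate in the path the client built, leaf first.
            foreach (X509ChainElement element in chain.ChainElements)
                sb.AppendLine("  chain: " + element.Certificate.Subject
                              + " (expires " + element.Certificate.NotAfter.ToString("u") + ")");
            // ChainStatus carries the concrete reason, e.g. UntrustedRoot or NotTimeValid.
            foreach (X509ChainStatus status in chain.ChainStatus)
                sb.AppendLine("  status: " + status.Status + " - "
                              + (status.StatusInformation ?? "").Trim());
        }
        return sb.ToString();
    }

    // Call once at startup, before the first request to the provider.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) =>
            {
                if (errors == SslPolicyErrors.None) return true;
                Trace.TraceWarning(Describe(cert, chain, errors));
                return false; // keep rejecting: the callback only reports
            };
    }

    static void Main()
    {
        Install();
        // Constructed input: no certificate or chain, only the error flags.
        Console.WriteLine(Describe(null, null, SslPolicyErrors.RemoteCertificateChainErrors
                                               | SslPolicyErrors.RemoteCertificateNameMismatch));
    }
}
```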